Remove secret keys from all documentation and code. #796
Comments
I fixed most of the vulnerabilities, except these:

```
{
  "file"=>"C:/Users/Public/Fortify/SC/jobs/575d502a-25a0-466d-b5aa-62eca7607efa/work/Src/credentialregistry/Dockerfile copy",
  "start_line"=>26
}
```

There's no such file in the repository.

The whole purpose of that script is to read a file from the path specified by the user and generate a token from it. The script can't be called from the outside and the file's content isn't exposed in any way. What's the best way to fix it?

```
{
  "file"=>"C:/Users/Public/Fortify/SC/jobs/575d502a-25a0-466d-b5aa-62eca7607efa/work/Src/credentialregistry/db/seeds/envelope.json",
  "start_line"=>6
}
```

There's no such file in the repository anymore.
Row 7: Ignore
Row 10 and 13: Move that into the markdown documentation instead of leaving it as a
Row 11: Ignore
Thank you, @excelsior.
@rohit-joy All the violations have been addressed and both repos contain the necessary changes.
@rohit-joy can this be closed? If not, identify all open items.
Some secret keys hardcoded were flagged in security scans. Please remove all of them.
Recommendations:

- In Tests, generate the keys at runtime.
- In Documentation, leave a small excerpt or placeholder indicating what key should go where.
- In product/service runtime, get the keys from a secret store. Kubernetes has drivers that can read and fill mount points inside of Pods with secrets from a secret store.
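The following is an added example, not code from the credentialregistry project, showing the test-time and runtime halves of the recommendations above together with the "read a key file from a user-supplied path" case raised in the comments. It assumes a hypothetical mount directory (`SIGNING_KEY_DIR`, defaulting to `/mnt/secrets-store`) that a Kubernetes secret-store volume would populate inside the Pod, and it uses only the Ruby standard library (`openssl`, `json`, `pathname`, `tmpdir`). Tests get a throwaway RSA key generated at runtime; the service loads its key from the mount, and the file name is confined to that directory so a caller cannot point the loader at an arbitrary path. The token format is a minimal RS256 JWT written here for illustration.

```ruby
# Added example (not code from the credentialregistry project): a signing key
# that is never hardcoded. Tests get a throwaway key generated at runtime; the
# service reads its key from a directory that a secret-store mount populates.
require "openssl"
require "json"
require "pathname"
require "tmpdir"

module SigningKey
  # Assumed mount point: where a Kubernetes secret-store volume (e.g. the
  # Secrets Store CSI Driver or a plain Secret volume) would expose the key
  # file inside the Pod. The env var name and default path are hypothetical.
  DEFAULT_DIR = ENV.fetch("SIGNING_KEY_DIR", "/mnt/secrets-store")

  # For tests: a fresh key on every run, so nothing is committed or scanned.
  def self.ephemeral
    OpenSSL::PKey::RSA.new(2048)
  end

  # For runtime: load a PEM from the mounted secret. `name` may come from
  # configuration or a caller, so it is confined to `dir`: the resolved path
  # (symlinks followed) must stay under the resolved mount directory.
  def self.from_mount(name, dir: DEFAULT_DIR)
    root = Pathname.new(dir).realpath
    candidate = (root + name).expand_path
    raise ArgumentError, "no key file #{name.inspect} under #{root}" unless candidate.file?
    real = candidate.realpath
    unless real.to_s.start_with?(root.to_s + File::SEPARATOR)
      raise ArgumentError, "key path #{name.inspect} escapes #{root}"
    end
    OpenSSL::PKey::RSA.new(real.read)
  end
end

module Token
  # Unpadded base64url, as JWT requires (pack("m0") is plain base64 without newlines).
  def self.b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.unb64url(str)
    padded = str.tr("-_", "+/")
    padded += "=" * ((4 - padded.size % 4) % 4)
    padded.unpack1("m0")
  end

  # header.payload signed with RSA PKCS#1 v1.5 over SHA-256 (RS256).
  def self.mint(key, claims)
    header  = b64url(JSON.generate("alg" => "RS256", "typ" => "JWT"))
    payload = b64url(JSON.generate(claims))
    signature = key.sign(OpenSSL::Digest.new("SHA256"), "#{header}.#{payload}")
    "#{header}.#{payload}.#{b64url(signature)}"
  end

  # Returns the claims on a valid signature, nil otherwise.
  def self.verify(public_key, token)
    header, payload, signature = token.split(".", 3)
    return nil unless header && payload && signature
    ok = public_key.verify(OpenSSL::Digest.new("SHA256"), unb64url(signature), "#{header}.#{payload}")
    ok ? JSON.parse(unb64url(payload)) : nil
  end
end

module SecretHandlingDemo
  # Runs the whole flow in a temp directory standing in for the Pod mount.
  # The key and files are constructed here; nothing is read from the repo.
  def self.run
    Dir.mktmpdir do |base|
      mount = File.join(base, "secrets-store")
      Dir.mkdir(mount)
      key = SigningKey.ephemeral
      File.write(File.join(mount, "signing.pem"), key.to_pem)
      File.write(File.join(base, "outside.pem"), key.to_pem) # constructed: a file outside the mount

      loaded = SigningKey.from_mount("signing.pem", dir: mount)
      token  = Token.mint(loaded, "sub" => "credentialregistry", "iat" => 1_700_000_000)
      claims = Token.verify(loaded.public_key, token)

      # A traversal attempt must be rejected even though the target file exists.
      traversal_blocked = begin
        SigningKey.from_mount("../outside.pem", dir: mount)
        false
      rescue ArgumentError
        true
      end

      { claims: claims, traversal_blocked: traversal_blocked }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts SecretHandlingDemo.run.inspect
end
```

With a secret-store mount, the private key never appears in an image layer, a seed file, or an environment variable in a manifest: the volume places the PEM at the mount path and the loader above reads it at startup. In CI the same code path is exercised with `SigningKey.ephemeral`, so no fixture key has to live in the repository.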